MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 9
| SHA256 hash: | 98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6 |
|---|---|
| SHA3-384 hash: | b1bf7e80fbdc2bfbe3723c5f607fb30eb3292e4246e81ff7b941a1598b29958cbc2dea3d4e113be0627e2153e9989733 |
| SHA1 hash: | 2affdf99938bc10d32fa116241941115e0437ce2 |
| MD5 hash: | 1dbb3736d491a2f652d350f3d535eef4 |
| humanhash: | nineteen-fish-minnesota-robin |
| File name: | DriverUpdate.exe |
| Download: | download sample |
| File size: | 1'544'096 bytes |
| First seen: | 2025-04-22 21:56:49 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 57e98d9a5a72c8d7ad8fb7a6a58b3daf (60 x GuLoader, 20 x AZORult, 12 x RemcosRAT) |
| ssdeep | 24576:+szPBVF4oBvzz6ttMA+z/fUtqk+1Vw3ijU8LLsYk/ve3Na9TZn1TH/4+RC17W2ZZ:PpV7Nz8tN+zEwxA8Lsb/ve3m7f4+RClJ |
| TLSH | T17065124B44EC6751CA7A0C75E4F35025CDDE9FEC1460468A9EE9396437F6BA8383A03B |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1) |
| Magika | pebin |
| File icon (PE): |  |
| dhash icon | 0b3860cccc603407 |
| Reporter |  FelloBoiYuuka |
| Tags: | Adware exe signed |
Code Signing Certificate
| Organisation: | Driver Support |
|---|---|
| Issuer: | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 |
| Algorithm: | sha256WithRSAEncryption |
| Valid from: | 2022-06-21T00:00:00Z |
| Valid to: | 2025-06-20T23:59:59Z |
| Serial number: | 0a7e757ef4ace48159186eacc7dd498a |
| Thumbprint Algorithm: | SHA256 |
| Thumbprint: | 11b7fc47699dcad36ac7a2bcd51d6766ea5f2637343f4721e45d27ff9d954abd |
| Source: | This information was brought to you by ReversingLabs A1000 Malware Analysis Platform |
Intelligence
File Origin
# of uploads :
1
# of downloads :
541
Origin country :
CAVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DriverUpdate.exe
Verdict:
Malicious activity
Analysis date:
2024-06-15 19:06:00 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Verdict:
Malicious
Score:
93.3%
Tags:
sage remo blic
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a file
Сreating synchronization primitives
Connection attempt
DNS request
Sending a custom TCP request
Connecting to a non-recommended domain
Creating a window
Searching for the window
Searching for synchronization primitives
Verdict:
Unknown
Threat level:
2.5/10
Confidence:
100%
Tags:
adaptive-context installer microsoft_visual_cc overlay signed
Verdict:
Unknown
Result
Threat name:
n/a
Detection:
suspicious
Classification:
n/a
Score:
36 / 100
Signature
Antivirus detection for URL or domain
Behaviour
Behavior Graph:
Score:
43%
Verdict:
Susipicious
File Type:
PE
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
8/10
Tags:
bootkit discovery execution persistence spyware stealer upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Program crash
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
System Time Discovery
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in System32 directory
UPX packed file
Adds Run key to start application
Downloads MZ/PE file
Enumerates connected drives
Network Service Discovery
Writes to the Master Boot Record (MBR)
ACProtect 1.3x - 1.4x DLL software
Drops file in Drivers directory
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
MD5 hash:
1dbb3736d491a2f652d350f3d535eef4
SHA1 hash:
2affdf99938bc10d32fa116241941115e0437ce2
SH256 hash:
eda02e626e8ca71dbff5389c062f9e9542661b43413b0a37ae3d262567145ce2
MD5 hash:
16e134ec014d74e9b798c9b3fae3ddcc
SHA1 hash:
1a8cc259f7b193018167484c30d8803b09ed228e
SH256 hash:
d5684110f61200ac1142648f06a4df3ee30acf38b96538496c33cac69942c4cc
MD5 hash:
14b655f0567e2d13459a4c77b2641ad8
SHA1 hash:
16f073c74680f4ef8b6b477e86b75d8f136824c2
SH256 hash:
39c43d67f546fc898f7406d213b73dcb1bc30fc811ddfa3a02b6b50c29d11f91
MD5 hash:
f18364fa5084add86c6e73e457404f18
SHA1 hash:
6d87c4b9dbf78af88fddf0d4d5febe845c8e4e6a
SH256 hash:
4e72c8b4d36f128b25281440e59e39af7ec2080d02e024f35ac413d769d91f39
MD5 hash:
ea60c7bd5edd6048601729bd31362c16
SHA1 hash:
6e6919d969eb61a141595014395b6c3f44139073
SH256 hash:
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
MD5 hash:
55a26d7800446f1373056064c64c3ce8
SHA1 hash:
80256857e9a0a9c8897923b717f3435295a76002
Detections:
win_qtbot_auto
Parent samples :
dda0f5b8759220bdbd8e5dba8bff49868b12e1d5e3bd273b366050dab0c8dd4f
e689963b4319dd5d5249ac1c629af5951f4e90db8040bf7ee33492e54c2c6487
bba7b7e91056db7fb6f628ab6478960b96c1a9d8606d6d5b4d74d5043b2bad79
30c31a99eda4daca4085458968e8d09f450f1ed7170f76b95cf7694acb0c7f02
2952bf5efc5b011349d22cbe6e7a813f0ae014d145f23115184a36a1448262d0
4bc7c76462ca49d995702befda5647f40b729659d1d97129723ab1eb4ed45787
830b4dcec27e5d45a9bb7bc538fc026e4af5c3a18de4a71e80b066afe059ac54
2db92a3fa08dc8e97b4f2651e9ec1d123d2556ce5bc7ec9474672767f6505e26
f2b345fcebcd9ed2e342399cfe9819abee7c3642efb6279ad3b4c940555d4564
101057440710c8766fc47fb315ba9fb471c633079c034d5d213e3011cfe075a9
252c26a5ea749569e41b4ce291ea4ff21d08ca884123c8ff171433a359455033
601bc4c4ff50e846a29e702f894f72b8cea1c7c200b363795ed7905784dde043
337b4c24e057d2585f87ed8ad3711ea4c59a3ae1b0895176d983bbc0c64a1d11
1a5e14258f116f3143a071373ce8e7d89bd644c4b88d6da1133e523721329764
f240a81fec7de0227d57e18da194b50d8cada15613719b3bda6236c401e0e8ea
31eb29c56f113f47c0e4d29f346f685db8a00b9394efa9643caafa254f0618d7
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e
406a9e03ab016d68a3aa919ac67397a83081f3ef478baf752d90545ec0fac6dc
e1e722daed3f9e886b15a541de7d67a023f42b2af431a5b6879ad7d32a1c36bf
170825eaa838a2e43fc76d3ad458982182f7b5471554ffd993525fd928b21d3d
1d8f40654fc90da579349546b0c74fc7334ad8a6fcbf21f87815715e644950d1
2a089fc9b24c5253a913526be0ac2ee62b911a96645cb70885d678c91dcb83c9
76f267de8fd5fa4744fb8294ee9a4765afeba03b36244527feca60a32df155af
f338b027a3117b82aafca870aaecb64264f238055afd3d598c90ef102092022a
3a66e54745e3455f2a8ecf35cc2ae7f3e4c7f960b547a65a55ac8ee4209b37e4
a7d2ea641dbc8e50000e6b42c9cca200fa25d5e37ddd1857eb489795ab5564ee
8e90738e8d2c488ac315737c15f39a977d989200cdb20b42a63a1f7bc8438a1e
f214476db64248c82861c7b27fd55186beaf2e292cbe013d47f17305c3b2e95d
8da8762a0f3794de100bd1800856136928880e8a9d0be42eb758809bca1bd0e3
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
ec06ca55bb1ff5e2c51e7756302a11bfc5341b6baa323788d93d646bd84602da
9a66af305ab345c37b408f496c0ad1251e1346f41586742df225af2c6564d576
9b2665438001f2c82c0737efac921004f3435efb29d1edffede8e45683a164a9
e689963b4319dd5d5249ac1c629af5951f4e90db8040bf7ee33492e54c2c6487
bba7b7e91056db7fb6f628ab6478960b96c1a9d8606d6d5b4d74d5043b2bad79
30c31a99eda4daca4085458968e8d09f450f1ed7170f76b95cf7694acb0c7f02
2952bf5efc5b011349d22cbe6e7a813f0ae014d145f23115184a36a1448262d0
4bc7c76462ca49d995702befda5647f40b729659d1d97129723ab1eb4ed45787
830b4dcec27e5d45a9bb7bc538fc026e4af5c3a18de4a71e80b066afe059ac54
2db92a3fa08dc8e97b4f2651e9ec1d123d2556ce5bc7ec9474672767f6505e26
f2b345fcebcd9ed2e342399cfe9819abee7c3642efb6279ad3b4c940555d4564
101057440710c8766fc47fb315ba9fb471c633079c034d5d213e3011cfe075a9
252c26a5ea749569e41b4ce291ea4ff21d08ca884123c8ff171433a359455033
601bc4c4ff50e846a29e702f894f72b8cea1c7c200b363795ed7905784dde043
337b4c24e057d2585f87ed8ad3711ea4c59a3ae1b0895176d983bbc0c64a1d11
1a5e14258f116f3143a071373ce8e7d89bd644c4b88d6da1133e523721329764
f240a81fec7de0227d57e18da194b50d8cada15613719b3bda6236c401e0e8ea
31eb29c56f113f47c0e4d29f346f685db8a00b9394efa9643caafa254f0618d7
dfae751806a1becfa849574b7b2a243f902550f1f72458bed5bc03779fea2f0b
d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e
406a9e03ab016d68a3aa919ac67397a83081f3ef478baf752d90545ec0fac6dc
e1e722daed3f9e886b15a541de7d67a023f42b2af431a5b6879ad7d32a1c36bf
170825eaa838a2e43fc76d3ad458982182f7b5471554ffd993525fd928b21d3d
1d8f40654fc90da579349546b0c74fc7334ad8a6fcbf21f87815715e644950d1
2a089fc9b24c5253a913526be0ac2ee62b911a96645cb70885d678c91dcb83c9
76f267de8fd5fa4744fb8294ee9a4765afeba03b36244527feca60a32df155af
f338b027a3117b82aafca870aaecb64264f238055afd3d598c90ef102092022a
3a66e54745e3455f2a8ecf35cc2ae7f3e4c7f960b547a65a55ac8ee4209b37e4
a7d2ea641dbc8e50000e6b42c9cca200fa25d5e37ddd1857eb489795ab5564ee
8e90738e8d2c488ac315737c15f39a977d989200cdb20b42a63a1f7bc8438a1e
f214476db64248c82861c7b27fd55186beaf2e292cbe013d47f17305c3b2e95d
8da8762a0f3794de100bd1800856136928880e8a9d0be42eb758809bca1bd0e3
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
ec06ca55bb1ff5e2c51e7756302a11bfc5341b6baa323788d93d646bd84602da
9a66af305ab345c37b408f496c0ad1251e1346f41586742df225af2c6564d576
9b2665438001f2c82c0737efac921004f3435efb29d1edffede8e45683a164a9
SH256 hash:
f72c92e47c94557571bf5d4e196f6468cabfdae499250941ce551a2f2decf85f
MD5 hash:
bf08dfb920985e3066e51575a2ad0970
SHA1 hash:
9929de19d19daca12291eca004a49ed674fce4e5
SH256 hash:
5f9d4b41a10578f98e469466e55feb0141644842a4e246b2cbae6666cebd69a3
MD5 hash:
90f7c0f400fdc219ae149ede95c06cfd
SHA1 hash:
a39c3bc64c9dc68fbc44d729511b03ed4573e6aa
SH256 hash:
c1cc3aa4326e83a73a778dee0cf9afcc03a6bafb0a32cea791a27eb9c2288985
MD5 hash:
ee449b0adce56fbfa433b0239f3f81be
SHA1 hash:
ec1e4f9815ea592a3f19b1fe473329b8ddfa201c
SH256 hash:
c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9
MD5 hash:
b38561661a7164e3bbb04edc3718fe89
SHA1 hash:
f13c873c8db121ba21244b1e9a457204360d543f
Detections:
win_flawedammyy_auto
Parent samples :
99aa0a112de10ceb2072e32e189befed18db5ce294787bf9b2dbe0ef643ba62c
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
b07907ce3ee14b8128039ecb8e635976fc216c77035d5bf38f42ed900197c879
87ad183c319765afb8556ac2ed508d2687c85b43b0848d251b87edbf0279fb97
27d75cacb0ec5845bd163635926ca0ecef4ea1bb92032df9e81e64b6e406e5a2
f95a2ee16ee39b92e9e3a5c87605021ff09d35ecf7eae9acaf6ea58c38ded834
e1c36731adad52dc563b7b172b6a4222f5449f134707e915714b7bb13392afd9
e9934abfdede625607cf46cbf7afe5dcab892e94117ab3bf827dafcf6be5eef1
dda95c5fac8c1882520a76aeb8dc397346e3f38bc6cb11aee7d96feea0d3a086
0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
907d76317c31e9ca799beeef08144d12f5005fcb4acf17848f9f467e098648d9
98598c90bd75b930aba968467f4b540a5784aa28612b8010d8a9cf31992843c6
SH256 hash:
d0949b4c0640ee6a80db5a7f6d93fc631ed194de197d79bf080ec1752c6f1166
MD5 hash:
c051c86f6fa84ac87efb0cf3961950a1
SHA1 hash:
f18f4bb803099b80a3a013ecb03fea11cff0ac01
SH256 hash:
962b4dc2b00567df42caa112275da46b8c4f41875410efbe3eba949dcab3a098
MD5 hash:
0f88cc45aa3d08492faf6861a31201ee
SHA1 hash:
885219fbb90f8cf6176a16827e1e1e7ded506bc9
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Adware
Score:
0.40
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Ins_NSIS_Buer_Nov_2020_1 |
|---|---|
| Author: | Arkbird_SOLG |
| Description: | Detect NSIS installer used for Buer loader |
| Rule name: | PE_Digital_Certificate |
|---|---|
| Author: | albertzsigovits |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::SetFileSecurityA |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExA SHELL32.dll::SHFileOperationA SHELL32.dll::SHGetFileInfoA |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessA ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryExA KERNEL32.dll::GetDiskFreeSpaceA KERNEL32.dll::GetCommandLineA |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileA KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileA KERNEL32.dll::MoveFileExA KERNEL32.dll::MoveFileA |
| WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueA |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegSetValueExA |
| WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuA USER32.dll::EmptyClipboard USER32.dll::FindWindowExA USER32.dll::OpenClipboard USER32.dll::PeekMessageA USER32.dll::CreateWindowExA |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.